Self-managing database system using machine learning

ABSTRACT

A self-managing database system includes a metrics collector to collect metrics data from one or more databases of a computing system and an anomaly detector to analyze the metrics data and detect one or more anomalies. The system includes a causal inference engine to mark one or more nodes in a knowledge representation corresponding to the metrics data for the one or more anomalies and to determine a root cause with a highest probability of causing the one or more anomalies using the knowledge representation. The system includes a self-healing engine, to take at least one remedial action for the one or more databases in response to determination of the root cause.

This patent application is a continuation of and claims priority to U.S.patent application Ser. No. 16/713,348 by Koyyalummal et al., titled“SELF-MANAGING DATABASE SYSTEM USING MAHINE LEARNING,” filed Dec. 13,2019. U.S. patent application Ser. No. 16/713,348 is hereby incorporatedby reference in its entirety for all purposes.

TECHNICAL FIELD

One or more implementations relate to management of database processing,and more specifically to self-managing databases in a distributed systemof a cloud computing environment.

BACKGROUND

“Cloud computing” services provide shared resources, software, andinformation to computers and other devices upon request or on demand.Cloud computing typically involves the over-the-Internet provision ofdynamically scalable and often virtualized resources by a cloud serviceprovider (CSP). Technological details can be abstracted from end-users,who no longer have need for expertise in, or control over, thetechnology infrastructure “in the cloud” that supports them. In cloudcomputing environments, software applications can be accessible over theInternet rather than installed locally on personal or in-house computersystems. Some of the applications or on-demand services provided toend-users can include the ability for a user to create, view, modify,store and share documents and other files.

Cloud computing systems are becoming increasingly more complex andsystem availability has become one of the most important requirementsfor users. A system failure often no longer impacts a single user or asmall set of users, but instead the impact may be widespread and global.Significant downtime directly impacts the trust of users and partners aswell as the reputation of the CSP. The failure of a hardware or softwarecomponent in a cloud computing environment is inevitable, leading to aservice incident. Responding to a typical incident in a large-scale,worldwide cloud computing environment may require the efforts of manypeople, such as system administrators, database experts, softwareengineers, hardware engineers, and project managers to identify andrectify a root cause of the incident.

BRIEF DESCRIPTION OF THE DRAWINGS

The included drawings are for illustrative purposes and serve to provideexamples of possible structures and operations for the disclosedinventive systems, apparatus, methods, and computer-readable storagemedia. These drawings in no way limit any changes in form and detailthat may be made by one skilled in the art without departing from thespirit and scope of the disclosed implementations.

FIG. 1A illustrates an example computing environment of an on-demanddatabase service according to some embodiments.

FIG. 1B illustrates example implementations of elements of FIG. 1A andexample interconnections between these elements according to someembodiments.

FIG. 2A illustrates example architectural components of an on-demanddatabase service environment according to some embodiments.

FIG. 2B illustrates example architectural components of an on-demanddatabase service environment according to some embodiments.

FIG. 3 is a diagrammatic representation of a machine in the exemplaryform of a computer system within which one or more embodiments may becarried out.

FIG. 4 is a diagram of a self-managing database system using machinelearning according to some embodiments.

FIG. 5 is a diagram of metrics collection according to some embodiments.

FIGS. 6A and 6B are flow diagrams of anomaly detector processingaccording to some embodiments.

FIG. 7 is an example graph of a Z score distribution according to someembodiments.

FIG. 8 is an example diagram of a knowledge representation according tosome embodiments.

FIG. 9 is a flow diagram of causal inference engine processing accordingto some embodiments.

DETAILED DESCRIPTION

A CSP securely stores and manages customer/user data using a databaseinfrastructure. Availability of the database infrastructure isconsidered by many CSPs to be key to business success. A typicaldatabase (DB) infrastructure includes many software and hardwarecomponents such as relational databases, database servers, storage areanetworks (SANs), internal networks, etc. In some cloud computingenvironments, there are hundreds of these DB infrastructure units (alsocalled pods) running at sites worldwide. In some cases, there arethousands of metrics/key performance indicators (KPIs) which arecontinually gathered from DB infrastructure components. The metrics/KPIsindicate the health of the system. At this scale, it's impossible for aDB infrastructure engineer to process all these metrics in real time,identify the root cause of a problem and quickly resolve the problem.The inability to quickly respond to and fix problems affects theavailability of the DB infrastructure.

In response, embodiments of the present invention apply an anomalydetection process along with a Bayesian network as a knowledgerepresentation to enable automatic analysis of relationships betweenmetrics across multiple layers, in real time to determine the root causeof a problem and apply self-healing remediation actions.

FIG. 1A illustrates a block diagram of an example of a cloud computingenvironment 10 in which an on-demand database service can be used inaccordance with some implementations. Environment 10 includes usersystems 12 (e.g., customer's computing systems), a network 14, adatabase system 16 (also referred to herein as a “cloud-based system” ora “cloud computing system”), a processing device 17, an applicationplatform 18, a network interface 20, a tenant database 22 for storingtenant data (such as data sets), a system database 24 for storing systemdata, program code 26 for implementing various functions of the databasesystem 16 (including a visual data cleaning application), and processspace 28 for executing database system processes and tenant-specificprocesses, such as running applications for customers as part of anapplication hosting service. In some other implementations, environment10 may not have all these components or systems, or may have othercomponents or systems instead of, or in addition to, those listed above.In some embodiments, tenant database 22 is a shared storage.

In some implementations, environment 10 is a computing environment inwhich an on-demand database service exists. An on-demand databaseservice, such as that which can be implemented using database system 16,is a service that is made available to users outside an enterprise (orenterprises) that owns, maintains, or provides access to database system16. As described above, such users generally do not need to be concernedwith building or maintaining database system 16. Instead, resourcesprovided by database system 16 may be available for such users' use whenthe users need services provided by database system 16; that is, on thedemand of the users. Some on-demand database services can storeinformation from one or more tenants into tables of a common databaseimage to form a multi-tenant database system (MTS). The term“multi-tenant database system” can refer to those systems in whichvarious elements of hardware and software of a database system may beshared by one or more customers or tenants. For example, a givenapplication server may simultaneously process requests for a largenumber of customers, and a given database table may store rows of datafor a potentially much larger number of customers. A database image caninclude one or more database objects. A relational database managementsystem (RDBMS) or the equivalent can execute storage and retrieval ofinformation against the database object(s).

Application platform 18 can be a framework that allows the applicationsof database system 16 to execute, such as the hardware or softwareinfrastructure of database system 16. In some implementations,application platform 18 enables the creation, management and executionof one or more applications developed by the provider of the on-demanddatabase service, users accessing the on-demand database service viauser systems 12, or third-party application developers accessing theon-demand database service via user systems 12.

In some implementations, database system 16 implements a web-basedcustomer relationship management (CRM) system. For example, in some suchimplementations, database system 16 includes application serversconfigured to implement and execute CRM software applications as well asprovide related data, code, forms, renderable web pages, and documentsand other information to and from user systems 12 and to store to, andretrieve from, a database system related data, objects, and World WideWeb page content. In some MTS implementations, data for multiple tenantsmay be stored in the same physical database object in tenant database22. In some such implementations, tenant data is arranged in the storagemedium(s) of tenant database 22 so that data of one tenant is keptlogically separate from that of other tenants so that one tenant doesnot have access to another tenant's data, unless such data is expresslyshared. Database system 16 also implements applications other than, orin addition to, a CRM application. For example, database system 16 canprovide tenant access to multiple hosted (standard and custom)applications, including a CRM application. User (or third-partydeveloper) applications, which may or may not include CRM, may besupported by application platform 18. Application platform 18 managesthe creation and storage of the applications into one or more databaseobjects and the execution of the applications in one or more virtualmachines in the process space of database system 16.

According to some implementations, each database system 16 is configuredto provide web pages, forms, applications, data, and media content touser (client) systems 12 to support the access by user systems 12 astenants of database system 16. As such, database system 16 providessecurity mechanisms to keep each tenant's data separate unless the datais shared. If more than one MTS is used, they may be located in closeproximity to one another (for example, in a server farm located in asingle building or campus), or they may be distributed at locationsremote from one another (for example, one or more servers located incity A and one or more servers located in city B). As used herein, eachMTS could include one or more logically or physically connected serversdistributed locally or across one or more geographic locations.Additionally, the term “server” is meant to refer to a computing deviceor system, including processing hardware and process space(s), anassociated storage medium such as a memory device or database, and, insome instances, a database application, such as an object-orienteddatabase management system (OODBMS) or a relational database managementsystem (RDBMS), as is well known in the art. It should also beunderstood that “server system”, “server”, “server node”, and “node” areoften used interchangeably herein. Similarly, the database objectsdescribed herein can be implemented as part of a single database, adistributed database, a collection of distributed databases, a databasewith redundant online or offline backups or other redundancies, etc.,and can include a distributed database or storage network and associatedprocessing intelligence.

Network 14 can be or include any network or combination of networks ofsystems or devices that communicate with one another. For example,network 14 can be or include any one or any combination of a local areanetwork (LAN), wide area network (WAN), telephone network, wirelessnetwork, cellular network, point-to-point network, star network, tokenring network, hub network, or other appropriate configuration. Network14 can include a Transfer Control Protocol and Internet Protocol(TCP/IP) network, such as the global internetwork of networks oftenreferred to as the “Internet” (with a capital “I”). The Internet will beused in many of the examples herein. However, it should be understoodthat the networks that the disclosed implementations can use are not solimited, although TCP/IP is a frequently implemented protocol.

User systems 12 (e.g., operated by customers) can communicate withdatabase system 16 using TCP/IP and, at a higher network level, othercommon Internet protocols to communicate, such as the Hyper TextTransfer Protocol (HTTP), Hyper Text Transfer Protocol Secure (HTTPS),File Transfer Protocol (FTP), Apple File Service (AFS), WirelessApplication Protocol (WAP), etc. In an example where HTTP is used, eachuser system 12 can include an HTTP client commonly referred to as a “webbrowser” or simply a “browser” for sending and receiving HTTP signals toand from an HTTP server of the database system 16. Such an HTTP servercan be implemented as the sole network interface 20 between databasesystem 16 and network 14, but other techniques can be used in additionto or instead of these techniques. In some implementations, networkinterface 20 between database system 16 and network 14 includes loadsharing functionality, such as round-robin HTTP request distributors tobalance loads and distribute incoming HTTP requests evenly over a numberof servers. In MTS implementations, each of the servers can have accessto the MTS data; however, other alternative configurations may be usedinstead.

User systems 12 can be implemented as any computing device(s) or otherdata processing apparatus or systems usable by users to access databasesystem 16. For example, any of user systems 12 can be a desktopcomputer, a workstation, a laptop computer, a tablet computer, ahandheld computing device, a mobile cellular phone (for example, a“smartphone”), or any other Wi-Fi-enabled device, WAP-enabled device, orother computing device capable of interfacing directly or indirectly tothe Internet or other network. When discussed in the context of a user,the terms “user system,” “user device,” and “user computing device” areused interchangeably herein with one another and with the term“computer.” As described above, each user system 12 typically executesan HTTP client, for example, a web browsing (or simply “browsing”)program, such as a web browser based on the WebKit platform, Microsoft'sInternet Explorer browser, Netscape's Navigator browser, Opera'sbrowser, Mozilla's Firefox browser, Google's Chrome browser, or aWAP-enabled browser in the case of a cellular phone, personal digitalassistant (PDA), or other wireless device, allowing a user (for example,a subscriber of on-demand services provided by database system 16) ofuser system 12 to access, process, and view information, pages, andapplications available to it from database system 16 over network 14.

Each user system 12 also typically includes one or more user inputdevices, such as a keyboard, a mouse, a trackball, a touch pad, a touchscreen, a pen or stylus, or the like, for interacting with a graphicaluser interface (GUI) provided by the browser on a display (for example,a monitor screen, liquid crystal display (LCD), light-emitting diode(LED) display, etc.) of user system 12 in conjunction with pages, forms,applications, and other information provided by database system 16 orother systems or servers. For example, the user interface device can beused to access data and applications hosted database system 16, and toperform searches on stored data, or otherwise allow a user to interactwith various GUI pages that may be presented to a user. As discussedabove, implementations are suitable for use with the Internet, althoughother networks can be used instead of or in addition to the Internet,such as an intranet, an extranet, a virtual private network (VPN), anon-TCP/IP based network, any LAN or WAN or the like.

The users of user systems 12 may differ in their respective capacities,and the capacity of a particular user system 12 can be entirelydetermined by permissions (permission levels) for the current user ofsuch user system. For example, where a salesperson is using a particularuser system 12 to interact with database system 16, that user system canhave the capacities allotted to the salesperson. However, while anadministrator is using that user system 12 to interact with databasesystem 16, that user system can have the capacities allotted to thatadministrator. Where a hierarchical role model is used, users at onepermission level can have access to applications, data, and databaseinformation accessible by a lower permission level user, but may nothave access to certain applications, database information, and dataaccessible by a user at a higher permission level. Thus, different usersgenerally will have different capabilities with regard to accessing andmodifying application and database information, depending on the users'respective security or permission levels (also referred to as“authorizations”).

According to some implementations, each user system 12 and some or allof its components are operator-configurable using applications, such asa browser, including computer code executed using a central processingunit (CPU), such as a Core® processor commercially available from IntelCorporation or the like. Similarly, database system 16 (and additionalinstances of an MTS, where more than one is present) and all of itscomponents can be operator-configurable using application(s) includingcomputer code to run using processing device 17, which may beimplemented to include a CPU, which may include an Intel Core® processoror the like, or multiple CPUs. Each CPU may have multiple processingcores.

Database system 16 includes non-transitory computer-readable storagemedia having instructions stored thereon that are executable by or usedto program a server or other computing system (or collection of suchservers or computing systems) to perform some of the implementation ofprocesses described herein. For example, program code 26 can includeinstructions for operating and configuring database system 16 tointercommunicate and to process web pages, applications (includingvisual data cleaning applications), and other data and media content asdescribed herein. In some implementations, program code 26 can bedownloadable and stored on a hard disk, but the entire program code, orportions thereof, also can be stored in any other volatile ornon-volatile memory medium or device as is well known, such as aread-only memory (ROM) or random-access memory (RAM), or provided on anymedia capable of storing program code, such as any type of rotatingmedia including floppy disks, optical discs, digital video discs (DVDs),compact discs (CDs), micro-drives, magneto-optical discs, magnetic oroptical cards, nanosystems (including molecular memory integratedcircuits), or any other type of computer-readable medium or devicesuitable for storing instructions or data. Additionally, the entireprogram code, or portions thereof, may be transmitted and downloadedfrom a software source over a transmission medium, for example, over theInternet, or from another server, as is well known, or transmitted overany other existing network connection as is well known (for example,extranet, virtual private network (VPN), local area network (LAN), etc.)using any communication medium and protocols (for example, TCP/IP, HTTP,HTTPS, Ethernet, etc.) as are well known. It will also be appreciatedthat computer code for the disclosed implementations can be realized inany programming language that can be executed on a server or othercomputing system such as, for example, C, C++, HTML, any other markuplanguage, Java™, JavaScript, ActiveX, any other scripting language, suchas VBScript, and many other programming languages as are well known.

FIG. 1B illustrates a block diagram of example implementations ofelements of FIG. 1A and example interconnections between these elementsaccording to some implementations. That is, FIG. 1B also illustratesenvironment 10, but in FIG. 1B, various elements of database system 16and various interconnections between such elements are shown with morespecificity according to some more specific implementations. In someimplementations, database system 16 may not have the same elements asthose described herein or may have other elements instead of, or inaddition to, those described herein.

In FIG. 1B, user system 12 includes a processor system 12A, a memorysystem 12B, an input system 12C, and an output system 12D. The processorsystem 12A can include any suitable combination of one or moreprocessors. The memory system 12B can include any suitable combinationof one or more memory devices. The input system 12C can include anysuitable combination of input devices, such as one or more touchscreeninterfaces, keyboards, mice, trackballs, scanners, cameras, orinterfaces to networks. The output system 12D can include any suitablecombination of output devices, such as one or more display devices,printers, or interfaces to networks.

In FIG. 1B, network interface 20 is implemented as a set of HTTPapplication servers 100 ₁-100 _(N). Each application server 100, alsoreferred to herein as an “app server,” is configured to communicate withtenant database 22 and tenant data 23 stored therein, as well as systemdatabase 24 and system data 25 stored therein, to serve requestsreceived from user systems 12. Tenant data 23 can be divided intoindividual tenant storage spaces 112, which can be physically orlogically arranged or divided. Within each tenant storage space 112,tenant data 114 and application metadata 116 can similarly be allocatedfor each user. For example, a copy of a user's most recently used (MRU)items can be stored in tenant data 114. Similarly, a copy of MRU itemsfor an entire organization that is a tenant can be stored to tenantspace 112.

Database system 16 of FIG. 1B also includes a user interface (UI) 30 andan application programming interface (API) 32. Process space 28 includessystem process space 102, individual tenant process spaces 104 and atenant management process space 110. Application platform 18 includes anapplication setup mechanism 38 that supports application developers'creation and management of applications. Such applications and otherscan be saved as metadata into tenant database 22 by save routines 36 forexecution by subscribers as one or more tenant process spaces 104managed by tenant management process space 110, for example. Invocationsto such applications can be coded using procedural language forstructured query language (PL/SQL) 34, which provides a programminglanguage style interface extension to the API 32. A detailed descriptionof some PL/SQL language implementations is discussed in commonlyassigned U.S. Pat. No. 7,730,478, titled METHOD AND SYSTEM FOR ALLOWINGACCESS TO DEVELOPED APPLICATIONS VIA A MULTI-TENANT ON-DEMAND DATABASESERVICE, issued on Jun. 1, 2010, and hereby incorporated by referenceherein in its entirety and for all purposes. Invocations to applicationscan be detected by one or more system processes, which manage retrievingapplication metadata 116 for the subscriber making the invocation andexecuting the metadata as an application in a virtual machine.

Each application server 100 can be communicably coupled with tenantdatabase 22 and system database 24, for example, having access to tenantdata 23 and system data 25, respectively, via a different networkconnection. For example, one application server 100 ₁ can be coupled viathe network 14 (for example, the Internet), another application server100 ₂ can be coupled via a direct network link, and another applicationserver 100 _(N) can be coupled by yet a different network connection.Transfer Control Protocol and Internet Protocol (TCP/IP) are examples oftypical protocols that can be used for communicating between applicationservers 100 and database system 16. However, it will be apparent to oneskilled in the art that other transport protocols can be used tooptimize database system 16 depending on the network interconnectionsused.

In some implementations, each application server 100 is configured tohandle requests for any user associated with any organization that is atenant of database system 16. Because it can be desirable to be able toadd and remove application servers 100 from the server pool at any timeand for various reasons, in some implementations there is no serveraffinity for a user or organization to a specific application server100. In some such implementations, an interface system implementing aload balancing function (for example, an F5 Big-IP load balancer) iscommunicably coupled between application servers 100 and user systems 12to distribute requests to application servers 100. In oneimplementation, the load balancer uses a least-connections algorithm toroute user requests to application servers 100. Other examples of loadbalancing algorithms, such as round robin and observed-response-time,also can be used. For example, in some instances, three consecutiverequests from the same user could hit three different applicationservers 100, and three requests from different users could hit the sameapplication server 100. In this manner, by way of example, databasesystem 16 can be a multi-tenant system in which database system 16handles storage of, and access to, different objects, data, andapplications across disparate users and organizations.

In one example storage use case, one tenant can be a company thatemploys a sales force where each salesperson uses database system 16 tomanage aspects of their sales. A user can maintain contact data, leadsdata, customer follow-up data, performance data, goals and progressdata, etc., all applicable to that user's personal sales process (forexample, in tenant database 22). In an example of a MTS arrangement,because all of the data and the applications to access, view, modify,report, transmit, calculate, etc., can be maintained and accessed by auser system 12 having little more than network access, the user canmanage his or her sales efforts and cycles from any of many differentuser systems. For example, when a salesperson is visiting a customer andthe customer has Internet access in their lobby, the salesperson canobtain critical updates regarding that customer while waiting for thecustomer to arrive in the lobby.

While each user's data can be stored separately from other users' dataregardless of the employers of each user, some data can beorganization-wide data shared or accessible by several users or all ofthe users for a given organization that is a tenant. Thus, there can besome data structures managed database system 16 that are allocated atthe tenant level while other data structures can be managed at the userlevel. Because an MTS can support multiple tenants including possiblecompetitors, the MTS can have security protocols that keep data,applications, and application use separate. Also, because many tenantsmay opt for access to an MTS rather than maintain their own system,redundancy, up-time, and backup are additional functions that can beimplemented in the MTS. In addition to user-specific data andtenant-specific data, database system 16 also can maintain system leveldata usable by multiple tenants or other data. Such system level datacan include industry reports, news, postings, and the like that aresharable among tenants.

In some implementations, user systems 12 (which also can be clientsystems) communicate with application servers 100 to request and updatesystem-level and tenant-level data from database system 16. Suchrequests and updates can involve sending one or more queries to tenantdatabase 22 or system database 24. Database system 16 (for example, anapplication server 100 in database system 16) can automatically generateone or more SQL statements (for example, one or more SQL queries)designed to access the desired information. System database 24 cangenerate query plans to access the requested data from the database. Theterm “query plan” generally refers to one or more operations used toaccess information in a database system.

Each database can generally be viewed as a collection of objects, suchas a set of logical tables, containing data fitted into predefined orcustomizable categories. A “table” is one representation of a dataobject and may be used herein to simplify the conceptual description ofobjects and custom objects according to some implementations. It shouldbe understood that “table” and “object” may be used interchangeablyherein. Each table generally contains one or more data categorieslogically arranged as columns or fields in a viewable schema. Each rowor element of a table can contain an instance of data for each categorydefined by the fields. For example, a CRM database can include a tablethat describes a customer with fields for basic contact information suchas name, address, phone number, fax number, etc. Another table candescribe a purchase order, including fields for information such ascustomer, product, sale price, date, etc. In some MTS implementations,standard entity tables can be provided for use by all tenants. For CRMdatabase applications, such standard entities can include tables forcase, account, contact, lead, and opportunity data objects, eachcontaining pre-defined fields. As used herein, the term “entity” alsomay be used interchangeably with “object” and “table.”

In some MTS implementations, tenants are allowed to create and storecustom objects, or may be allowed to customize standard entities orobjects, for example by creating custom fields for standard objects,including custom index fields. Commonly assigned U.S. Pat. No.7,779,039, titled CUSTOM ENTITIES AND FIELDS IN A MULTI-TENANT DATABASESYSTEM, issued on Aug. 17, 2010, and hereby incorporated by referenceherein in its entirety and for all purposes, teaches systems and methodsfor creating custom objects as well as customizing standard objects in amulti-tenant database system. In some implementations, for example, allcustom entity data rows are stored in a single multi-tenant physicaltable, which may contain multiple logical tables per organization. It istransparent to customers that their multiple “tables” are in fact storedin one large table or that their data may be stored in the same table asthe data of other customers.

FIG. 2A shows a system diagram illustrating example architecturalcomponents of an on-demand database service environment 200 according tosome implementations. A client machine communicably connected with thecloud 204, generally referring to one or more networks in combination,as described herein, can communicate with the on-demand database serviceenvironment 200 via one or more edge routers 208 and 212. A clientmachine can be any of the examples of user systems 12 described above.The edge routers can communicate with one or more core switches 220 and224 through a firewall 216. The core switches can communicate with aload balancer 228, which can distribute server load over different pods,such as the pods 240 and 244. Pods 240 and 244, which can each includeone or more servers or other computing resources, can perform dataprocessing and other operations used to provide on-demand services.Communication with the pods can be conducted via pod switches 232 and236. Components of the on-demand database service environment cancommunicate with database storage 256 through a database firewall 248and a database switch 252.

As shown in FIGS. 2A and 2B, accessing an on-demand database serviceenvironment can involve communications transmitted among a variety ofdifferent hardware or software components. Further, the on-demanddatabase service environment 200 is a simplified representation of anactual on-demand database service environment. For example, while onlyone or two devices of each type are shown in FIGS. 2A and 2B, someimplementations of an on-demand database service environment can includeanywhere from one to many devices of each type. Also, the on-demanddatabase service environment need not include each device shown in FIGS.2A and 2B or can include additional devices not shown in FIGS. 2A and2B.

Additionally, it should be appreciated that one or more of the devicesin the on-demand database service environment 200 can be implemented onthe same physical device or on different hardware. Some devices can beimplemented using hardware or a combination of hardware and software.Thus, terms such as “data processing apparatus,” “machine,” “server,”“device,” and “processing device” as used herein are not limited to asingle hardware device; rather, references to these terms can includeany suitable combination of hardware and software configured to providethe described functionality.

Cloud 204 is intended to refer to a data network or multiple datanetworks, often including the Internet. Client machines communicablyconnected with cloud 204 can communicate with other components of theon-demand database service environment 200 to access services providedby the on-demand database service environment. For example, clientmachines can access the on-demand database service environment toretrieve, store, edit, or process information. In some implementations,edge routers 208 and 212 route packets between cloud 204 and othercomponents of the on-demand database service environment 200. Forexample, edge routers 208 and 212 can employ the Border Gateway Protocol(BGP). The BGP is the core routing protocol of the Internet. Edgerouters 208 and 212 can maintain a table of Internet Protocol (IP)networks or ‘prefixes,’ which designate network reachability amongautonomous systems on the Internet.

In some implementations, firewall 216 can protect the inner componentsof the on-demand database service environment 200 from Internet traffic.Firewall 216 can block, permit, or deny access to the inner componentsof on-demand database service environment 200 based upon a set of rulesand other criteria. Firewall 216 can act as one or more of a packetfilter, an application gateway, a stateful filter, a proxy server, orany other type of firewall.

In some implementations, core switches 220 and 224 are high-capacityswitches that transfer packets within the on-demand database serviceenvironment 200. Core switches 220 and 224 can be configured as networkbridges that quickly route data between different components within theon-demand database service environment. In some implementations, the useof two or more core switches 220 and 224 can provide redundancy orreduced latency.

In some implementations, pods 240 and 244 perform the core dataprocessing and service functions provided by the on-demand databaseservice environment. Each pod can include various types of hardware orsoftware computing resources. An example of the pod architecture isdiscussed in greater detail with reference to FIG. 2B. In someimplementations, communication between pods 240 and 244 is conducted viapod switches 232 and 236. Pod switches 232 and 236 can facilitatecommunication between pods 240 and 244 and client machines communicablyconnected with cloud 204, for example, via core switches 220 and 224.Also, pod switches 232 and 236 may facilitate communication between pods240 and 244 and database storage 256. In some implementations, loadbalancer 228 can distribute workload between pods 240 and 244. Balancingthe on-demand service requests between the pods can assist in improvingthe use of resources, increasing throughput, reducing response times, orreducing overhead. Load balancer 228 may include multilayer switches toanalyze and forward traffic.

In some implementations, access to database storage 256 is guarded by adatabase firewall 248. Database firewall 248 can act as a computerapplication firewall operating at the database application layer of aprotocol stack. Database firewall 248 can protect database storage 256from application attacks such as SQL injection, database rootkits, andunauthorized information disclosure. In some implementations, databasefirewall 248 includes a host using one or more forms of reverse proxyservices to proxy traffic before passing it to a gateway router.Database firewall 248 can inspect the contents of database traffic andblock certain content or database requests. Database firewall 248 canwork on the SQL application level atop the TCP/IP stack, managingapplications' connection to the database or SQL management interfaces aswell as intercepting and enforcing packets traveling to or from adatabase network or application interface.

In some implementations, communication with database storage 256 isconducted via database switch 252. Multi-tenant database storage 256 caninclude more than one hardware or software components for handlingdatabase queries. Accordingly, database switch 252 can direct databasequeries transmitted by other components of the on-demand databaseservice environment (for example, pods 240 and 244) to the correctcomponents within database storage 256. In some implementations,database storage 256 is an on-demand database system shared by manydifferent organizations as described above with reference to FIGS. 1Aand 1B.

FIG. 2B shows a system diagram further illustrating examplearchitectural components of an on-demand database service environmentaccording to some implementations. Pod 244 can be used to renderservices to a user of on-demand database service environment 200. Insome implementations, each pod includes a variety of servers or othersystems. Pod 244 includes one or more content batch servers 264, contentsearch servers 268, query servers 282, file servers 286, access controlsystem (ACS) servers 280, batch servers 284, and app servers 288. Pod244 also can include database instances 290, quick file systems (QFS)292, and indexers 294. In some implementations, some or allcommunication between the servers in pod 244 can be transmitted via podswitch 236.

In some implementations, app servers 288 include a hardware or softwareframework dedicated to the execution of procedures (for example,programs, routines, scripts) for supporting the construction ofapplications provided by on-demand database service environment 200 viapod 244. In some implementations, the hardware or software framework ofan app server 288 is configured to execute operations of the servicesdescribed herein, including performance of the blocks of various methodsor processes described herein. In some alternative implementations, twoor more app servers 288 can be included and cooperate to perform suchmethods, or one or more other servers described herein can be configuredto perform the disclosed methods.

Content batch servers 264 can handle requests internal to the pod. Somesuch requests can be long-running or not tied to a particular customer.For example, content batch servers 264 can handle requests related tolog mining, cleanup work, and maintenance tasks. Content search servers268 can provide query and indexer functions. For example, the functionsprovided by content search servers 268 can allow users to search throughcontent stored in the on-demand database service environment. Fileservers 286 can manage requests for information stored in file storage298. File storage 298 can store information such as documents, images,and binary large objects (BLOBs). In some embodiments, file storage 298is a shared storage. By managing requests for information using fileservers 286, the image footprint on the database can be reduced. Queryservers 282 can be used to retrieve information from one or more filesystems. For example, query servers 282 can receive requests forinformation from app servers 288 and transmit information queries tonetwork file systems (NFS) 296 located outside the pod.

Pod 244 can share a database instance 290 configured as a multi-tenantenvironment in which different organizations share access to the samedatabase. Additionally, services rendered by pod 244 may call uponvarious hardware or software resources. In some implementations, ACSservers 280 control access to data, hardware resources, or softwareresources. In some implementations, batch servers 284 process batchjobs, which are used to run tasks at specified times. For example, batchservers 284 can transmit instructions to other servers, such as appservers 288, to trigger the batch jobs.

In some implementations, QFS 292 is an open source file system availablefrom Sun Microsystems, Inc. The QFS can serve as a rapid-access filesystem for storing and accessing information available within the pod244. QFS 292 can support some volume management capabilities, allowingmany disks to be grouped together into a file system. File systemmetadata can be kept on a separate set of disks, which can be useful forstreaming applications where long disk seeks cannot be tolerated. Thus,the QFS system can communicate with one or more content search servers268 or indexers 294 to identify, retrieve, move, or update data storedin NFS 296 or other storage systems.

In some implementations, one or more query servers 282 communicate withthe NFS 296 to retrieve or update information stored outside of the pod244. NFS 296 can allow servers located in pod 244 to access informationto access files over a network in a manner similar to how local storageis accessed. In some implementations, queries from query servers 282 aretransmitted to NFS 296 via load balancer 228, which can distributeresource requests over various resources available in the on-demanddatabase service environment. NFS 296 also can communicate with QFS 292to update the information stored on NFS 296 or to provide information toQFS 292 for use by servers located within pod 244.

In some implementations, the pod includes one or more database instances290. Database instance 290 can transmit information to QFS 292. Wheninformation is transmitted to the QFS, it can be available for use byservers within pod 244 without using an additional database call. Insome implementations, database information is transmitted to indexer294. Indexer 294 can provide an index of information available indatabase instance 290 or QFS 292. The index information can be providedto file servers 286 or QFS 292. In some embodiments, there may be aplurality of database instances stored and accessed throughout thesystem.

FIG. 3 illustrates a diagrammatic representation of a machine in theexemplary form of a computer system 300 within which a set ofinstructions (e.g., for causing the machine to perform any one or moreof the methodologies discussed herein) may be executed. In alternativeimplementations, the machine may be connected (e.g., networked) to othermachines in a LAN, a WAN, an intranet, an extranet, or the Internet. Themachine may operate in the capacity of a server or a client machine inclient-server network environment, or as a peer machine in apeer-to-peer (or distributed) network environment. The machine may be apersonal computer (PC), a tablet PC, a set-top box (STB), a PDA, acellular telephone, a web appliance, a server, a network router, switchor bridge, or any machine capable of executing a set of instructions(sequential or otherwise) that specify actions to be taken by thatmachine. Further, while only a single machine is illustrated, the term“machine” shall also be taken to include any collection of machines thatindividually or jointly execute a set (or multiple sets) of instructionsto perform any one or more of the methodologies discussed herein. Someor all of the components of the computer system 300 may be utilized byor illustrative of any of the electronic components described herein(e.g., any of the components illustrated in or described with respect toFIGS. 1A, 1B, 2A, and 2B).

The exemplary computer system 300 includes a processing device(processor) 302, a main memory 304 (e.g., ROM, flash memory, dynamicrandom access memory (DRAM) such as synchronous DRAM (SDRAM) or RambusDRAM (RDRAM), etc.), a static memory 306 (e.g., flash memory, staticrandom access memory (SRAM), etc.), and a data storage device 320, whichcommunicate with each other via a bus 310.

Processor 302 represents one or more general-purpose processing devicessuch as a microprocessor, central processing unit, or the like. Moreparticularly, processor 302 may be a complex instruction set computing(CISC) microprocessor, reduced instruction set computing (RISC)microprocessor, very long instruction word (VLIW) microprocessor, or aprocessor implementing other instruction sets or processors implementinga combination of instruction sets. Processor 302 may also be one or morespecial-purpose processing devices such as an application specificintegrated circuit (ASIC), a field programmable gate array (FPGA), adigital signal processor (DSP), network processor, or the like.Processor 302 is configured to execute instructions 326 for performingthe operations and steps discussed herein. Processor 302 may have one ormore processing cores.

Computer system 300 may further include a network interface device 308.Computer system 300 also may include a video display unit 312 (e.g., aliquid crystal display (LCD), a cathode ray tube (CRT), or a touchscreen), an alphanumeric input device 314 (e.g., a keyboard), a cursorcontrol device 316 (e.g., a mouse or touch screen), and a signalgeneration device 322 (e.g., a loudspeaker).

Power device 318 may monitor a power level of a battery used to powercomputer system 300 or one or more of its components. Power device 318may provide one or more interfaces to provide an indication of a powerlevel, a time window remaining prior to shutdown of computer system 300or one or more of its components, a power consumption rate, an indicatorof whether computer system is utilizing an external power source orbattery power, and other power related information. In someimplementations, indications related to power device 318 may beaccessible remotely (e.g., accessible to a remote back-up managementmodule via a network connection). In some implementations, a batteryutilized by power device 318 may be an uninterruptable power supply(UPS) local to or remote from computer system 300. In suchimplementations, power device 318 may provide information about a powerlevel of the UPS.

Data storage device 320 may include a computer-readable storage medium324 (e.g., a non-transitory computer-readable storage medium) on whichis stored one or more sets of instructions 326 (e.g., software)embodying any one or more of the methodologies or functions describedherein. Instructions 326 may also reside, completely or at leastpartially, within main memory 304 and/or within processor 302 duringexecution thereof by computer system 300, main memory 304, and processor302 also constituting computer-readable storage media. Instructions 326may further be transmitted or received over a network 330 (e.g., network14) via network interface device 308.

In one implementation, instructions 326 include instructions forperforming any of the implementations described herein. Whilecomputer-readable storage medium 324 is shown in an exemplaryimplementation to be a single medium, it is to be understood thatcomputer-readable storage medium 324 may include a single medium ormultiple media (e.g., a centralized or distributed database, and/orassociated caches and servers) that store the one or more sets ofinstructions.

FIG. 4 is a diagram of a self-managing database system 400 using machinelearning according to some embodiments. According to some embodiments,self-managing database system 400 is executed by one or more of databasesystem 16 of FIG. 1 , pod 240 or 244 of FIG. 2A, batch servers 284,database instance 290, or app servers 288 of FIG. 2B, and/or processor302 of FIG. 3 . In an embodiment, self-managing database system 400 isinvoked in the cloud computing environment once every five minutes. Inother embodiments, other frequencies are used.

Metrics collector 402 collects DB and/or operating system (OS) metrics,error codes, and system/DB change information (collectively calledmetrics data herein) from any one or more of the components described inFIGS. 1, 2, and 3 . Metrics data are collected at any frequency, atpredetermined times, or upon occurrence of an error. It is anticipatedthat in embodiments of the present invention the quantity and size ofmetric data received from system components worldwide in real time willbe very large (e.g., thousands, tens of thousands, or even hundreds ofthousands of metric data values per unit time, and tens, hundreds, oreven thousands of gigabytes of data per unit time). In one embodiment,the unit of time is a minute, but the unit of time is configurable.Metrics collector 402 accepts the metrics data and stores metrics datain metrics database 404 for subsequent use by self-managing databasesystem 400.

FIG. 5 is a diagram of metrics data collection according to someembodiments. Dynamic configuration 502 comprises a data structure todefine the metrics data that is to be collected and the frequency ofcollection. In an embodiment, dynamic configuration 502 is specified bya system administrator. In an embodiment, dynamic configuration 502 is ascript written in a markup language. Metrics collector 402 reads dynamicconfiguration 502 to control operations of OS metrics collector 504, DBmetrics collector 506, log scanner 508, and change scanner 510 ofmetrics collector 402. OS metrics collector 504 collects OS metrics dataand stores the OS metrics data in OS data processing area 512 of memory304. DB metrics collector 506 collects DB metrics data and stores the DBmetrics data in DB data processing area 514 of memory 304. Log scanner508 collects metrics data from log files and stores the log filesmetrics data in log data processing area 516 of memory 304. Changescanner 510 collects metrics data from changes made to DBs or othersoftware components and stores the changes metrics data in changescanner data processing area 518 of memory 304.

Thus, metrics collector 402 stores metrics data in memory 304 for use inreal time processing of recently obtained metrics data by self-managingdatabase system 400. In one embodiment, the time period for this metricsdata is the past two hours and is updated every minute. Thus, memory 304always stores the latest two hours of metrics data. In otherembodiments, other time periods may be used for recent metrics data(e.g., 30 minutes, one hour, four hours, a day, etc.) and the updateschedule may be changed (e.g., every two minutes, every five minutes,every ten minutes, and so on). In one embodiment, metrics data issegregated in memory 304 into separate portions of memory as describedabove. Thus, for example, OS metrics data is stored in OS dataprocessing area 512, DB metrics data is stored in DB data processingarea 514, log metrics data is stored in log data processing area 516,and change scanner data is stored in change scanner data processing area518. In other embodiments, the different types of metrics data may beco-mingled and stored in the same area of memory 304. In someembodiments, the different types of metrics data are tagged to identifythe type of data. Data loader 520 stores metrics data in metricsdatabase 404. In an embodiment, metrics database 404 is a part of systemdatabase 24 of FIG. 1 and/or data storage device 320 of FIG. 3 . In anembodiment, metrics data includes historical metrics data and recentmetrics data. In one embodiment, historical metrics data includesmetrics data received longer than two hours ago, and recent metrics dataincludes metrics data received less than or equal to two hours ago. Inother embodiments, other time thresholds may be used (e.g., 30 minutes,one hour, and so on). Thus, in some embodiments, the metrics collector402 stores metrics data collected within a most recent selected periodof time in memory 304 of the computing system (e.g., a random accessmemory (RAM) and metrics data collected earlier than the most recentselected period of time (e.g., historical metrics data) is stored in along term storage device (e.g., hard drive, solid state drive, etc.) ofthe computing system by data loader 520. In one embodiment, data loader520 copies metrics data from memory 304 into metrics database 404 on aperiodic basis, such as every minute. In other embodiments, other timeperiods are used. This ensures that if the system crashes, the metricsdata in memory is not lost.

Returning back to FIG. 4 , metrics database 404 is input to anomalydetector 406. Anomaly detector 406 analyzes metrics data in metricsdatabase 404 and/or memory 304 to generate metrics and anomalies 408.

In embodiment of the present invention, production DB infrastructurecomponents are heterogeneous and training a model which can fit well forall DB components of the cloud computing environment is tedious and timeintensive for system engineers. In response, an anomaly detectionapproach is used in embodiments to detect abnormal patterns in metricsdatabase 404, then the results of anomaly detection analysis are passedto a Bayesian network (in one embodiment) for root cause analysis.

One known technique for identifying anomalies includes computation of anExtreme Student Deviate (ESD). In ESD, a “Z score” for an observed valueis computed using the following formula:ESD_(zscore)=(x _(k)−mean(x))/σwhere x_(k) is an observed metric data value, X is a distribution, and σis the standard deviation. Since the ESD formula is based on mean ( )and standard deviation, this ESD formula is highly sensitive to outliervalues and is not suitable for managing databases in the cloud computingenvironment.

In embodiments of the present invention, a new anomaly detection formulafor a Z score is used:zscore(of x _(r))=(x _(r)−median(X _(h)))÷(median(|X _(h(i))−median(X_(h))|_(i=1 . . . n)))where X_(r) is a metrics data sample value from recent metrics data,X_(h) are metrics data sample values of “h” hours (e.g., historicalmetrics data set values), and X_(h(i) where i=1 . . . n) are metricsdata sample values in X_(h).

FIGS. 6A and 6B are flow diagrams 600, 620 of anomaly detector 406processing according to some embodiments. In an embodiment, anomalydetector 406 is executed repeatedly while a cloud computing environmentis operational at a frequency that is selectable. At block 602, anomalydetector 406 gets a previously computed metric summary and a lastmetrics computation time of the metric summary from metrics database 404in data storage device 320 and loads this data into memory 304. In anembodiment, the metric summary includes the median, median absolutedeviation (MAD) and critical threshold value for a metric as performedbelow at block 610. At block 604, in one embodiment, anomaly detector406 determines if the last metrics computation time is more than 24hours old (e.g., as compared to the current time). In other embodiments,other time periods may be used (e.g., two days, three days, 12 hours, 6hours, and so on). In one embodiment, if 24 hours has not passed sincethe last metrics computation, then processing continues at block 6B onFIG. 6B. In one embodiment, if at least 24 hours has passed, thenprocessing continues with block 606. At block 606, if anomaly detector406 determines that the current time is not off-peak, then processingcontinues at block 6B of FIG. GB. In one embodiment, off-peak times areoutside of normal business hours for a geographic location, such asbetween 5 μm and 9 am. In other embodiments, other times for off-peakmay be used. If the current time is off-peak, then at block 608 anomalydetector 406 gets historical metrics data for one or more metrics frommetrics database 404. In an embodiment, the historical metrics dataincludes two months of metrics data from metrics database 404 for eachmetric. In other embodiment, other amounts of historical metrics dataare obtained.

At block 610, anomaly detector 406 computes a metrics summary of amedian, a MAD, and a critical threshold value based on a predeterminedsignificance level (e.g., alpha=0.02) for each metric based at least inpart on the historical metrics data. In an embodiment, thesecomputations are performed during an off-peak time for the cloudcomputing environment, since these computations are typicallycomputationally intensive. At block 612, anomaly detector 406 stores themetric summary and current metric computation time in metrics database404.

Processing continues with block 622 of FIG. 6B, where anomaly detector406 gets recent metrics data from memory 304. In an embodiment, therecent metrics data includes the last five minutes of metrics data forone or more metrics. In other embodiments, other time thresholds can beused. In an embodiment, one or more metrics are included in the recentmetrics data and anomaly detector processing includes performing blocks624 through 634 for each metric. In an embodiment, five data samples aretaken for each metric represented in the recent metrics data. In otherembodiment, other numbers of samples per metric may be used. At block624, for a current metric the anomaly detector computes a Z score foreach sample of the current metric in real time using the metric summary(read from metrics database 404) and the anomaly detection formula ofembodiments of the present invention. The Z score represents an anomalyvalue for the sample.

At block 626, the Z score of each sample is compared against the currentmetric's critical threshold value (Z critical) to check if the currentsample is an outlier or not.Test(|zscore(of x _(r))|>|Z _(critical)(@a)|)

At block 626, if the absolute value of the Z score for a sample isgreater than the critical threshold then anomaly detector 406 at block630 marks the sample as anomalous and saves this information. Otherwise,anomaly detector 406 marks the sample as normal and saves thisinformation. In one embodiment, anomaly detector may pre-set all samplesof a metric as normal and only change the annotation of the sample if ananomaly is detected. At block 632, if the number of anomalous samples inthe current metric is greater than a predetermined threshold, then thecurrent metric is marked as anomalous at block 634 and this informationis saved in an anomalous metric data structure in memory 304 (e.g., partof metrics data and anomalies 408). In an embodiment, the threshold maybe three when the sample size is five (e.g., when three out of fivesamples are anomalous, then the current metric is considered to beanomalous). Other sample sizes and thresholds may be used in variousembodiments. Processing continues at block 636, where anomaly detectordetermines if all metrics have been processed for the second set. If so,anomaly detector processing is done at block 638 when all samples of allmetrics of the recent metrics data have been processed. Otherwise,anomaly detector processing continues with the next metric of the recentmetrics data at block 624.

FIG. 7 is an example graph of a Z score distribution according to someembodiments. In this example, a Z score greater than or equal to 2 isconsidered to be anomalous 702, and a Z score less than or equal to −2is considered to be anomalous 704. A Z score between −2 and 2 isconsidered to be non-anomalous 706.

Returning to FIG. 4 , metrics and anomalies 408 includes metrics datafrom metrics database 404 and anomalies identified by anomaly detector406. Metrics and anomalies 408 information is input along with knowledgerepresentation 412 to causal inference engine 410. In an embodiment,knowledge representation 412 is a Bayesian network. In otherembodiments, other structures for knowledge representation may be used.Causal inference engine 410 determines a root cause of an issuehighlighted by one or more anomalies detected by anomaly detector 406.Metrics and their relationships are modeled in knowledge representation412. In an embodiment, the Bayesian network is populated a priori usingsubject matter expertise (e.g., from DB engineers, for example) andhistorical data insights. A conditional probability distribution tableis generated for each node and evaluated using historical data insights.

FIG. 8 is an example diagram of a knowledge representation 412 accordingto some embodiments. In the example, nodes in the Bayesian network 800are built and populated for analyzing a database infrastructure (such asdatabase system 16). In other examples, other Bayesian networks may bebuilt and populated based on subject matter knowledge for a specificscenario. Each node of the Bayesian network includes a conditionalprobability distribution table as shown below. Each node represents anevent such as a possible error condition in database system 16 andrelationships with other nodes in the Bayesian network. By analyzing theBayesian network, causal inference engine 410 determines a most likelyroot cause for an issue indicated by anomalies.

TABLE 1 App Lock (AL) 802 APP LOCK (AL) CPD AL_0 0.7 AL_1 0.3

TABLE 2 Row Lock (RL) 804 P(RL|AL) AL AL_0 AL_1 RL_0 0.9 0.2 RL_1 0.10.8

TABLE 3 Application (APP) 806 P(APP|RL) RL RL_0 RL_1 APP_0 0.9 0.2 APP_10.1 0.8

TABLE 4 Load 812 Load CPD Load_0 0.7 Load_1 0.2

TABLE 5 CPU 814 CPU CPD CPU_0 0.7 CPU_1 0.3

TABLE 6 System Events (SYS) 816 P(SYS|Load, CPU) Load Load_0 Load_1Load_0 Load_1 CPU CPU_0 CPU_1 CPU_0 CPU_1 SYS_0 0.9 0.1 0.2 0.05 SYS_10.1 0.9 0.8 0.95

TABLE 7 Temperature Issue (TI) 818 TEMP ISSUE CPD TI_0 0.7 TI_1 0.3

TABLE 8 SS Contention (SSC) 820 P(SSC|TI) TI TI_0 TI_1 SSC_0 0.9 0.2SSC_1 0.1 0.8

TABLE 9 Concurrency (CON) 822 P(CON|SSC) SSC SSC_0 SSC_1 CON_0 0.9 0.2CON_1 0.1 0.8

TABLE 10 I/O Failure (IOF) 824 IOF CPD IOF_0 0.4 IOF_1 0.6

TABLE 11 Storage Latency (SL) 826 P(SL|IOF) IOF IOF_0 IOF_1 SL_0 0.9 0.1SL_1 0.1 0.9

TABLE 12 DB File Seq (DBFS) 828 P(DBFS|SL) SL SL_0 SL_1 DBFS_0 0.9 0.2DBFS_1 0.1 0.8

TABLE 13 Log File Parallel (LFP) 834 P(LFP|SL) SL SL_0 SL_1 LFP_0 0.90.2 LFP_1 0.1 0.8

TABLE 14 I/O (IO) 830 P(IO|LFP, DBFS) LFP LFP_0 LFP_0 LFP_1 LFP_1 DBFSDBFS_0 DBFS_1 DBFS_0 DBFS_1 IO_0 0.9 0.1 0.2 0.05 IO_1 0.1 0.9 0.8 0.95

TABLE 15 Multiple DB bugs (DBG) 832 DBG CPD DBG_0 0.8 DBG_1 0.2

TABLE 16 Log File Sync (LFS) 836 P(LFS|, DBG, LFP) DBG DBG_0 DBG_0 DBG_1DBG_1 LFP LFP_0 LFP_1 LFP_0 LFP_1 LFS_0 0.9 0.1 0.2 0.05 LFS_1 0.1 0.90.8 0.95

TABLE 17 Commit (COM) 838 P(COM|LFS) LFS LFS_0 LFS_1 COM_0 0.9 0.1 COM_10.1 0.9

TABLE 18 DB Events 808 P(DB_Events|COM, IO, CON, APP COM COM_0 COM_0COM_0 COM_0 COM_0 . . . COM_1 IO IO_0 IO_0 IO_0 IO_0 IO_1 . . . IO_1 CONCON_0 CON_0 CON_1 CON_1 CON_0 . . . CON_1 APP APP_0 APP_1 APP_0 APP_1APP_0 . . . APP_11 DB_Events_0 0.95 0.2 0.2 0.1 0.2 . . . 0 DB_Events_10.5 0.8 0.8 0.9 0.8 . . . 1

TABLE 19 DB Health (DBH) 810 P(DBH| DB_Events), SYS) DB_EventsDB_Events_0 DB_Events_0 DB_Events_1 DB_Events1 SYS SYS_0 SYS_1 SYS_0SYS_1 DBH_0 0.9 0.2 0.1 0.05 DBH_1 0.1 0.8 0.9 0.95

FIG. 9 is a flow diagram 900 of causal inference engine 410 processingaccording to some embodiments. At block 902, causal inference engine 410gets anomalous metrics (as determined by anomaly detector 406 in FIGS.6A and 6B) from metrics and anomalies 408. At block 904, causalinference engine 410 processes the anomalous metrics for the anomalousmetrics data structure created at block 634 and marks nodescorresponding to anomalous metrics in knowledge representation 412(e.g., a node such as app lock 802 of Bayesian network 800). In anembodiment, a node with an anomalous metric is marked as an “evidencenode” in Bayesian network 800. At block 906, for each marked node (e.g.,each evidence node), causal inference engine 410 traverses from themarked node to a leaf node (e.g., a possible root cause node) and fromthe marked node to a root (impact) node of Bayesian network 800. Thecombination of the two traversals is a potential root cause path. Thepotential root cause path is saved. At block 908, causal inferenceengine 410, for each potential root cause path, computes a probabilityof the leaf node for the potential root cause path being the root causeof the issue indicated by the anomalous metrics data. In an embodiment,the probability is computed using Bayes Theorem. At block 910, causalinference engine 410 determines the path that has the highestprobability for the leaf node and marks the path as the root cause path.At block 912, the leaf node with the highest probability is marked asthe root cause of the issue. The root cause is output as inferenceconclusions 414.

In one illustrative example, assume anomaly detector 406 detectsanomalies for log file sync 836, log file parallel write 834, and DBsequential read 828 events of FIG. 8 . Based on example Bayesian network800 and the tables shown above, the probability of an I/O issue is92.22% and the probability of a DB bug is 20.88%. Since the probabilityof an I/O issue is higher than the probability of a DB bug, causalinference engine 410 determines that the root cause of the issue is anI/O issue. This can be seen by a cause and effect chain of nodes I/Ofailure 824→storage latency 826→log file parallel write 834→log filesync 836→commit 838→DB events 808→DB health 810.

In another illustrative example, assume anomaly detector 406 detectsanomalies for log file sync 836, however log file parallel write 834 andDB file sequential read 828 events are reported as normal. Based onexample Bayesian network 800 and the tables shown above, the probabilityof an I/O issue is 19.32% and the probability of a DB bug is 66.67%.Since the probability of a DB bug is higher than the probability of anI/O issue, causal inference engine 410 determines that the root cause ofthe issue is a DB bug. This can be seen by a cause and effect chain ofnodes DB bug 832→log file sync 836→commit 838→DB events 808→DB health810.

Turning back to FIG. 4 , inference conclusions 414 are input toself-healing engine 416, along with healing rules 418. Self-healingengine 416 takes specified pre-defined remedial actions in response toinference conclusions 414 (including one or more root causes asdetermined by causal inference engine 410) to fix one or more errors indatabase systems 16 and/or other software and/or hardware components ofthe computing system indicated by the anomalies. Examples of remedialactions include killing one or more database sessions which is causingapplication level locks, killing the database session using hightemporary table space usages or other resources, restarting serviceswhich are hung up, and so on. Self-healing engine 416 gets theidentified root cause and reads a self-healing action name and scriptfrom healing rules 418 for the identified root cause in inferenceconclusions 414. Self-healing engine 416 executes one or more healingactions 420 using the script to fix the issue identified by the rootcause. In this way, self-healing engine 416 automatically resolves theissue when possible. If the issue cannot be automatically resolved, inan embodiment a case is created in a case management system (not shown)with details of anomalies detected and identified root cause. The casewill then be handled using a manual approach by system administratorsand/or systems engineers.

Finally, visualization and reporting 422 is executed to display andreport the anomalies and/or root causes to system administrators and/orDB engineers. In an embodiment, the visualization and reporting are doneusing a web-based user interface. In an embodiment, the user interfacecomprises an analytic dashboard. In another embodiment, thevisualization and reporting are done using reports (such as hypertextmarkup language (HTML) reports) attached to the case in the casemanagement system for manual review of the issue.

Embodiments of the present invention provide at least severaladvantages. Because of the complexity involved, training and developinga model to capture all possible scenarios is laborious. In embodiments,the model doesn't need extensive training because the anomaly detectionapproach is used to detect abnormalities in the cloud computingenvironments having large numbers of databases. In embodiments, themodel captures expert/engineer knowledge with accuracy and enables thesystem to make accurate predictions, performs impact analysis, and makesa self-healing decision. The combination of anomaly detection and use ofa Bayesian network for the knowledge representation of experts/engineersensures effectiveness in identifying and fixing errors. The accuracy incapturing an anomaly and performing causal inference with self-healingactions is high within this model because the cloud computinginfrastructure component's metrics are heavily used to perform rootcause analysis and make remediation decisions. Embodiments also helpsystem administrators and/or systems engineers to detect new and complexunknown situations in the computing system which were not previouslyhumanly possible to detect, thereby improving the resiliency of thecloud computing infrastructure. Metrics can be correlated on the fly andthe expert knowledge representation helps to find multiple cause andeffect relations given the confidence level and given the evidence.

Examples of systems, apparatuses, computer-readable storage media, andmethods according to the disclosed implementations are described in thissection. These examples are being provided solely to add context and aidin the understanding of the disclosed implementations. It will thus beapparent to one skilled in the art that the disclosed implementationsmay be practiced without some or all of the specific details provided.In other instances, certain process or method operations, also referredto herein as “blocks,” have not been described in detail in order toavoid unnecessarily obscuring the disclosed implementations. Otherimplementations and applications also are possible, and as such, thefollowing examples should not be taken as definitive or limiting eitherin scope or setting.

In the detailed description, references are made to the accompanyingdrawings, which form a part of the description and in which are shown,by way of illustration, specific implementations. Although thesedisclosed implementations are described in sufficient detail to enableone skilled in the art to practice the implementations, it is to beunderstood that these examples are not limiting, such that otherimplementations may be used and changes may be made to the disclosedimplementations without departing from their spirit and scope. Forexample, the blocks of the methods shown and described herein are notnecessarily performed in the order indicated in some otherimplementations. Additionally, in some other implementations, thedisclosed methods may include more or fewer blocks than are described.As another example, some blocks described herein as separate blocks maybe combined in some other implementations. Conversely, what may bedescribed herein as a single block may be implemented in multiple blocksin some other implementations. Additionally, the conjunction “or” isintended herein in the inclusive sense where appropriate unlessotherwise indicated; that is, the phrase “A, B, or C” is intended toinclude the possibilities of “A,” “B,” “C,” “A and B,” “B and C,” “A andC,” and “A, B, and C.”

The words “example” “exemplary” are used herein to mean serving as anexample, instance, or illustration. Any aspect or design describedherein as “example” or “exemplary” is not necessarily to be construed aspreferred or advantageous over other aspects or designs. Rather, use ofthe words “example” or “exemplary” is intended to present concepts in aconcrete fashion.

In addition, the articles “a” and “an” as used herein and in theappended claims should generally be construed to mean “one or more”unless specified otherwise or clear from context to be directed to asingular form. Reference throughout this specification to “animplementation,” “one implementation,” “some implementations,” or“certain implementations” indicates that a particular feature,structure, or characteristic described in connection with theimplementation is included in at least one implementation. Thus, theappearances of the phrase “an implementation,” “one implementation,”“some implementations,” or “certain implementations” in variouslocations throughout this specification are not necessarily allreferring to the same implementation.

Some portions of the detailed description may be presented in terms ofalgorithms and symbolic representations of operations on data bitswithin a computer memory. These algorithmic descriptions andrepresentations are the manner used by those skilled in the dataprocessing arts to most effectively convey the substance of their workto others skilled in the art. An algorithm is herein, and generally,conceived to be a self-consistent sequence of steps leading to a desiredresult. The steps are those requiring physical manipulations of physicalquantities. Usually, though not necessarily, these quantities take theform of electrical or magnetic signals capable of being stored,transferred, combined, compared, or otherwise manipulated. It has provenconvenient at times, principally for reasons of common usage, to referto these signals as bits, values, elements, symbols, characters, terms,numbers, or the like.

It should be borne in mind, however, that all of these and similar termsare to be associated with the appropriate physical quantities and aremerely convenient labels applied to these quantities. Unlessspecifically stated otherwise as apparent from the following discussion,it is appreciated that throughout the description, discussions utilizingterms such as “receiving,” “retrieving,” “transmitting,” “computing,”“generating,” “adding,” “subtracting,” “multiplying,” “dividing,”“optimizing,” “calibrating,” “detecting,” “performing,” “analyzing,”“determining,” “enabling,” “identifying,” “modifying,” “transforming,”“applying,” “aggregating,” “extracting,” “registering,” “querying,”“populating,” “hydrating,” “updating,” or the like, refer to the actionsand processes of a computer system, or similar electronic computingdevice, that manipulates and transforms data represented as physical(e.g., electronic) quantities within the computer system's registers andmemories into other data similarly represented as physical quantitieswithin the computer system memories or registers or other suchinformation storage, transmission, or display devices.

The specific details of the specific aspects of implementationsdisclosed herein may be combined in any suitable manner withoutdeparting from the spirit and scope of the disclosed implementations.However, other implementations may be directed to specificimplementations relating to each individual aspect, or specificcombinations of these individual aspects. Additionally, while thedisclosed examples are often described herein with reference to animplementation in which a computing environment is implemented in asystem having an application server providing a front end for anon-demand database service capable of supporting multiple tenants, thepresent implementations are not limited to multi-tenant databases ordeployment on application servers. Implementations may be practicedusing other database architectures, i.e., ORACLE®, DB2® by IBM, and thelike without departing from the scope of the implementations claimed.Moreover, the implementations are applicable to other systems andenvironments including, but not limited to, client-server models, mobiletechnology and devices, wearable devices, and on-demand services.

It should also be understood that some of the disclosed implementationscan be embodied in the form of various types of hardware, software,firmware, or combinations thereof, including in the form of controllogic, and using such hardware or software in a modular or integratedmanner. Other ways or methods are possible using hardware and acombination of hardware and software. Any of the software components orfunctions described in this application can be implemented as softwarecode to be executed by one or more processors using any suitablecomputer language such as, for example, C, C++, Java™ (a trademark ofSun Microsystems, Inc.), or Perl using, for example, existing orobject-oriented techniques. The software code can be stored asnon-transitory instructions on any type of tangible computer-readablestorage medium (referred to herein as a “non-transitorycomputer-readable storage medium”). Examples of suitable media includerandom access memory (RAM), read-only memory (ROM), magnetic media suchas a hard-drive or a floppy disk, or an optical medium such as a compactdisc (CD) or digital versatile disc (DVD), flash memory, and the like,or any combination of such storage or transmission devices.Computer-readable media encoded with the software/program code may bepackaged with a compatible device or provided separately from otherdevices (for example, via Internet download). Any such computer-readablemedium may reside on or within a single computing device or an entirecomputer system and may be among other computer-readable media within asystem or network. A computer system, or other computing device, mayinclude a monitor, printer, or other suitable display for providing anyof the results mentioned herein to a user.

The disclosure also relates to apparatuses, devices, and systemadapted/configured to perform the operations herein. The apparatuses,devices, and systems may be specially constructed for their requiredpurposes, may be selectively activated or reconfigured by a computerprogram, or some combination thereof.

In the foregoing description, numerous details are set forth. It will beapparent, however, to one of ordinary skill in the art having thebenefit of this disclosure, that the present disclosure may be practicedwithout these specific details. While specific implementations have beendescribed herein, it should be understood that they have been presentedby way of example only, and not limitation. The breadth and scope of thepresent application should not be limited by any of the implementationsdescribed herein but should be defined only in accordance with thefollowing and later-submitted claims and their equivalents. Indeed,other various implementations of and modifications to the presentdisclosure, in addition to those described herein, will be apparent tothose of ordinary skill in the art from the foregoing description andaccompanying drawings. Thus, such other implementations andmodifications are intended to fall within the scope of the presentdisclosure.

Furthermore, although the present disclosure has been described hereinin the context of a particular implementation in a particularenvironment for a particular purpose, those of ordinary skill in the artwill recognize that its usefulness is not limited thereto and that thepresent disclosure may be beneficially implemented in any number ofenvironments for any number of purposes. Accordingly, the claims setforth below should be construed in view of the full breadth and spiritof the present disclosure as described herein, along with the full scopeof equivalents to which such claims are entitled.

What is claimed is:
 1. A system, comprising: a metrics collector toprocess metrics data from one or more databases of a computing system;an anomaly detector, coupled to the metrics collector, to detect, viathe metrics data, one or more anomalies; a causal inference engine,coupled to the anomaly detector, to mark one or more nodes in aknowledge representation corresponding to the metrics data for the oneor more anomalies and to determine a cause of the one or more anomaliesusing the knowledge representation; and a self-healing engine, coupledto the causal inference engine, to cause at least one remedial actionfor the one or more databases in response to determination of the cause.2. The system of claim 1, wherein the metrics data comprises at leastone of database metrics and operating system metrics.
 3. The system ofclaim 1, wherein the metrics data comprises at least one of log scannermetrics and change scanner metrics.
 4. The system of claim 1, whereinthe metrics collector is to store metrics data collected within a mostrecent selected period of time as recent metrics data in a memory of thecomputing system and metrics data collected earlier than the most recentselected period of time as historical metrics data in a long termstorage device of the computing system.
 5. The system of claim 4,wherein the anomaly detector is to compute a median value, a medianabsolute deviation, and a critical threshold for a metric of thehistorical metrics data.
 6. The system of claim 5, wherein the anomalydetector is to compute an anomaly value called a Z score for a sample ofa metric from the recent metrics data according to a formula: zscore(ofx_(r))=(x_(r)−median(X_(h)))÷(median (IX_(h(i))−median (X_(h)) li=l . .. n)) where x_(r) is a metrics data sample value from the recent metricsdata, X_(h) are metrics data sample values from the historical metricsdata, and X_(h(i)) where i=l . . . n are metrics data sample values inX_(h).
 7. The system of claim 6, wherein the anomaly detector is to markthe sample as anomalous when an absolute value of the Z score of thesample is greater than an absolute value of the critical threshold. 8.The system of claim 7, wherein the anomaly detector is to mark themetric as anomalous when a number of anomalous samples for the metric isgreater than a predetermined threshold.
 9. The system of claim 1,wherein the knowledge representation comprises a Bayesian network. 10.The system of claim 9, wherein the causal inference engine is to marknodes of the Bayesian network corresponding to metrics of the one ormore anomalies; for each marked node, traverse a path in the Bayesiannetwork from the marked node to a leaf node and from the marked node toa root node; for each path, compute a probability of the leaf node beinga root cause; determining a path with the highest probability for theleaf node and mark the path as a root cause path; and marking the leafnode with the highest probability as the root cause.
 11. Acomputer-implemented method comprising: processing metrics data from oneor more databases of a computing system; detecting, via the metricsdata, one or more anomalies; marking one or more nodes in a knowledgerepresentation corresponding to the metrics data for the one or moreanomalies and determining a cause of the one or more anomalies using theknowledge representation; and causing at least one remedial action forthe one or more databases in response to determination of the cause. 12.The computer-implemented method of claim 11, wherein the metrics datacomprises at least one of database metrics and operating system metrics.13. The computer-implemented method of claim 11, wherein the metricsdata comprises at least one of log scanner metrics and change scannermetrics.
 14. The computer-implemented method of claim 11, comprisingstoring metrics data collected within a most recent selected period oftime as recent metrics data in a memory of the computing system andmetrics data collected earlier than the most recent selected period oftime as historical metrics data in a long term storage device of thecomputing system.
 15. The computer-implemented method of claim 14,comprising computing a median value, a median absolute deviation, and acritical threshold for a metric of the historical metrics data.
 16. Thecomputer-implemented method of claim 15, comprising computing an anomalyvalue called a Z score for a sample of a metric from the recent metricsdata according to a formula: zscore(ofx_(r))=(x_(r)−median(X_(h)))÷(median (IX_(h(i))−median (X_(h)) li=l . .. n)) where x_(r) is a metrics data sample value from the recent metricsdata, X_(h) are metrics data sample values from the historical metricsdata, and X_(h(i)) where i=l . . . n are metrics data sample values inX_(h).
 17. The computer-implemented method of claim 16, comprisingmarking the sample as anomalous when an absolute value of the Z score ofthe sample is greater than an absolute value of the critical threshold.18. The computer-implemented method of claim 17, comprising marking themetric as anomalous when a number of anomalous samples for the metric isgreater than a predetermined threshold.
 19. The computer-implementedmethod of claim 11, wherein the knowledge representation comprises aBayesian network.
 20. A tangible, non-transitory computer-readablestorage medium having instructions encoded thereon which, when executedby a processing device, cause the processing device to: process metricsdata from one or more databases of a computing system; detect, via themetrics data, one or more anomalies; mark one or more nodes in aknowledge representation corresponding to the metrics data for the oneor more anomalies and determine a cause of the one or more anomaliesusing the knowledge representation; and cause at least one remedialaction for the one or more databases in response to determination of thecause.